mirror of
https://github.com/zitadel/zitadel.git
synced 2025-03-01 12:27:23 +00:00
3f6ea78c87
# Which Problems Are Solved Currently ZITADEL defines organization and instance member roles and permissions in defaults.yaml. The permission check is done on API call level. For example: "is this user allowed to make this call on this org". This makes sense on the V1 API where the API is permission-level shaped. For example, a search for users always happens in the context of the organization. (Either the organization the calling user belongs to, or through member ship and the x-zitadel-orgid header. However, for resource based APIs we must be able to resolve permissions by object. For example, an IAM_OWNER listing users should be able to get all users in an instance based on the query filters. Alternatively a user may have user.read permissions on one or more orgs. They should be able to read just those users. # How the Problems Are Solved ## Role permission mapping The role permission mappings defined from `defaults.yaml` or local config override are synchronized to the database on every run of `zitadel setup`: - A single query per **aggregate** builds a list of `add` and `remove` actions needed to reach the desired state or role permission mappings from the config. - The required events based on the actions are pushed to the event store. - Events define search fields so that permission checking can use the indices and is strongly consistent for both query and command sides. The migration is split in the following aggregates: - System aggregate for for roles prefixed with `SYSTEM` - Each instance for roles not prefixed with `SYSTEM`. This is in anticipation of instance level management over the API. ## Membership Current instance / org / project membership events now have field table definitions. Like the role permissions this ensures strong consistency while still being able to use the indices of the fields table. A migration is provided to fill the membership fields. ## Permission check I aimed keeping the mental overhead to the developer to a minimal. The provided implementation only provides a permission check for list queries for org level resources, for example users. In the `query` package there is a simple helper function `wherePermittedOrgs` which makes sure the underlying database function is called as part of the `SELECT` query and the permitted organizations are part of the `WHERE` clause. This makes sure results from non-permitted organizations are omitted. Under the hood: - A Pg/PlSQL function searches for a list of organization IDs the passed user has the passed permission. - When the user has the permission on instance level, it returns early with all organizations. - The functions uses a number of views. The views help mapping the fields entries into relational data and simplify the code use for the function. The views provide some pre-filters which allow proper index usage once the final `WHERE` clauses are set by the function. # Additional Changes # Additional Context Closes #9032 Closes https://github.com/zitadel/zitadel/issues/9014 https://github.com/zitadel/zitadel/issues/9188 defines follow-ups for the new permission framework based on this concept.
166 lines
5.4 KiB
Go
166 lines
5.4 KiB
Go
package projection
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
old_handler "github.com/zitadel/zitadel/internal/eventstore/handler"
|
|
"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
|
|
"github.com/zitadel/zitadel/internal/feature"
|
|
feature_v1 "github.com/zitadel/zitadel/internal/repository/feature"
|
|
"github.com/zitadel/zitadel/internal/repository/feature/feature_v2"
|
|
"github.com/zitadel/zitadel/internal/repository/instance"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
const (
|
|
InstanceFeatureTable = "projections.instance_features2"
|
|
|
|
InstanceFeatureInstanceIDCol = "instance_id"
|
|
InstanceFeatureKeyCol = "key"
|
|
InstanceFeatureCreationDateCol = "creation_date"
|
|
InstanceFeatureChangeDateCol = "change_date"
|
|
InstanceFeatureSequenceCol = "sequence"
|
|
InstanceFeatureValueCol = "value"
|
|
)
|
|
|
|
type instanceFeatureProjection struct{}
|
|
|
|
func newInstanceFeatureProjection(ctx context.Context, config handler.Config) *handler.Handler {
|
|
return handler.NewHandler(ctx, &config, new(instanceFeatureProjection))
|
|
}
|
|
|
|
func (*instanceFeatureProjection) Name() string {
|
|
return InstanceFeatureTable
|
|
}
|
|
|
|
func (*instanceFeatureProjection) Init() *old_handler.Check {
|
|
return handler.NewTableCheck(handler.NewTable(
|
|
[]*handler.InitColumn{
|
|
handler.NewColumn(InstanceFeatureInstanceIDCol, handler.ColumnTypeText),
|
|
handler.NewColumn(InstanceFeatureKeyCol, handler.ColumnTypeText),
|
|
handler.NewColumn(InstanceFeatureCreationDateCol, handler.ColumnTypeTimestamp),
|
|
handler.NewColumn(InstanceFeatureChangeDateCol, handler.ColumnTypeTimestamp),
|
|
handler.NewColumn(InstanceFeatureSequenceCol, handler.ColumnTypeInt64),
|
|
handler.NewColumn(InstanceFeatureValueCol, handler.ColumnTypeJSONB),
|
|
},
|
|
handler.NewPrimaryKey(InstanceFeatureInstanceIDCol, InstanceFeatureKeyCol),
|
|
))
|
|
}
|
|
|
|
func (*instanceFeatureProjection) Reducers() []handler.AggregateReducer {
|
|
return []handler.AggregateReducer{{
|
|
Aggregate: feature_v2.AggregateType,
|
|
EventReducers: []handler.EventReducer{
|
|
{
|
|
Event: feature_v1.DefaultLoginInstanceEventType,
|
|
Reduce: reduceSetDefaultLoginInstance_v1,
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceResetEventType,
|
|
Reduce: reduceInstanceResetFeatures,
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceLoginDefaultOrgEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceTriggerIntrospectionProjectionsEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceLegacyIntrospectionEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceUserSchemaEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceTokenExchangeEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceActionsEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceImprovedPerformanceEventType,
|
|
Reduce: reduceInstanceSetFeature[[]feature.ImprovedPerformanceType],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceWebKeyEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceDebugOIDCParentErrorEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceOIDCSingleV1SessionTerminationEventType,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceDisableUserTokenEvent,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceEnableBackChannelLogout,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: feature_v2.InstanceLoginVersion,
|
|
Reduce: reduceInstanceSetFeature[*feature.LoginV2],
|
|
},
|
|
{
|
|
Event: feature_v2.InstancePermissionCheckV2,
|
|
Reduce: reduceInstanceSetFeature[bool],
|
|
},
|
|
{
|
|
Event: instance.InstanceRemovedEventType,
|
|
Reduce: reduceInstanceRemovedHelper(InstanceDomainInstanceIDCol),
|
|
},
|
|
},
|
|
}}
|
|
}
|
|
|
|
func reduceSetDefaultLoginInstance_v1(event eventstore.Event) (*handler.Statement, error) {
|
|
e, ok := event.(*feature_v1.SetEvent[feature_v1.Boolean])
|
|
if !ok {
|
|
return nil, zerrors.ThrowInvalidArgumentf(nil, "PROJE-in2Xo", "reduce.wrong.event.type %T", event)
|
|
}
|
|
return reduceInstanceSetFeature[bool](
|
|
feature_v1.DefaultLoginInstanceEventToV2(e),
|
|
)
|
|
}
|
|
|
|
func reduceInstanceSetFeature[T any](event eventstore.Event) (*handler.Statement, error) {
|
|
e, ok := event.(*feature_v2.SetEvent[T])
|
|
if !ok {
|
|
return nil, zerrors.ThrowInvalidArgumentf(nil, "PROJE-uPh8O", "reduce.wrong.event.type %T", event)
|
|
}
|
|
f, err := e.FeatureJSON()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
columns := []handler.Column{
|
|
handler.NewCol(InstanceFeatureInstanceIDCol, e.Aggregate().ID),
|
|
handler.NewCol(InstanceFeatureKeyCol, f.Key.String()),
|
|
handler.NewCol(InstanceFeatureCreationDateCol, handler.OnlySetValueOnInsert(InstanceFeatureTable, e.CreationDate())),
|
|
handler.NewCol(InstanceFeatureChangeDateCol, e.CreationDate()),
|
|
handler.NewCol(InstanceFeatureSequenceCol, e.Sequence()),
|
|
handler.NewCol(InstanceFeatureValueCol, f.Value),
|
|
}
|
|
return handler.NewUpsertStatement(e, columns[0:2], columns), nil
|
|
}
|
|
|
|
func reduceInstanceResetFeatures(event eventstore.Event) (*handler.Statement, error) {
|
|
e, ok := event.(*feature_v2.ResetEvent)
|
|
if !ok {
|
|
return nil, zerrors.ThrowInvalidArgumentf(nil, "PROJE-roo6A", "reduce.wrong.event.type %T", event)
|
|
}
|
|
return handler.NewDeleteStatement(e, []handler.Condition{
|
|
handler.NewCond(InstanceFeatureInstanceIDCol, e.Aggregate().ID),
|
|
}), nil
|
|
}
|